Disabling Null Sessions via GPO

Good Day,

We are attempting to disable all Null sessions.

Steps attempted thus far:

Changes were made to the following security policies and applied via GPO:
1. Network access: Allow anonymous SID/Name translation - Disabled
2. Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
3. Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
4. Network access: Let Everyone permissions apply to anonymous users - Disabled
5. Network access: Named Pipes that can be accessed anonymously (this policy disengages us from using our c$ share) - Cleared list
6. Network access: Shares that can be accessed anonymously - Cleared list

Issue: After we made those changes, it was expected that when we ran the following command, net use \\pc\ipc$ "" /u:"", the result would have been unsuccessful. However, after the changes were implemented, null sessions are still connecting.

What can we do to disable null sessions in our environment?

Our environment:
Active Directory built on 2008 R2
Windows Server: 2012, 2008 R2, 2008, 2003 R2, 2003, 2000
PC operating systems: Windows 7 and XP
ernie_shahAsked:

David Johnson, CD, MVPOwnerCommented:
You want security and you have 2003 R2, 2003 and 2000 versions active? 2003 is EOL in 21 days; 2000 is no longer supported.

Easiest way is to disable NetBIOS; otherwise:
Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Type: DWORD
Value: 0
Requires a reboot.

btanExec ConsultantCommented:
Also consider removing anonymous authentication and Everyone from the built-in group Pre-Windows 2000 Compatible Access. Do check that gpresult shows these as applied and updated on the server. Good to reboot if possible so that all existing sessions are reconnected; do assess any impact too.

But do also note the caveat of the registry approach (not really the GPO) on old Windows versions, to make sure it is disabled:
Note Even with the RestrictAnonymous registry value set to 1, there are Win32 programming interfaces that do not restrict anonymous connections. Therefore, tools that use these interfaces can still enumerate information over a null session even when the RestrictAnonymous registry value is set to 1.

Finally, when this registry value is set to 2, no access is granted without explicit anonymous permissions. Therefore, no null sessions are possible, not even through Win32 programming interfaces. Generally, we do not recommend that you set the RestrictAnonymous registry value to 2 in mixed-mode environments that include down-level client computers such as Windows NT 4.0, Microsoft Windows 95, and Microsoft Windows 98.
https://support.microsoft.com/en-us/kb/890161
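An added audit script (not from the thread) that reads back the registry values behind the six GPO settings in the question, together with RestrictAnonymous and RestrictNullSessAccess discussed in the replies, so the effective state on a host can be confirmed after gpupdate. The value and key names are the real LSA and LanManServer names; the "expected" values are the ones the question's GPO aims for, and the secedit export path is an assumption.

```powershell
# Added example: audit the registry state behind the null-session GPO settings.
# Run elevated on the affected host after "gpupdate /force".
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Name, key, expected value. An empty array means "the MULTI_SZ list must be cleared".
$checks = @(
    @{ Name='RestrictAnonymousSAM';      Key=$lsa; Expected=1 },    # no anonymous SAM enumeration
    @{ Name='RestrictAnonymous';         Key=$lsa; Expected=1 },    # no anonymous SAM + share enumeration
    @{ Name='EveryoneIncludesAnonymous'; Key=$lsa; Expected=0 },    # Everyone does not include anonymous
    @{ Name='RestrictNullSessAccess';    Key=$srv; Expected=1 },    # honour the NullSession* lists
    @{ Name='NullSessionPipes';          Key=$srv; Expected=@() },  # cleared list
    @{ Name='NullSessionShares';         Key=$srv; Expected=@() }   # cleared list
)

function Get-RegValueOrNull($key, $name) {
    # Absent value: the OS default applies, which is reported as <absent>
    try { (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name }
    catch { $null }
}

foreach ($c in $checks) {
    $actual = Get-RegValueOrNull $c.Key $c.Name
    if ($c.Expected -is [array]) {
        # MULTI_SZ list: absent or containing only empty strings counts as cleared
        $ok    = ($null -eq $actual) -or (@($actual | Where-Object { $_ -ne '' }).Count -eq 0)
        $shown = if ($null -eq $actual) { '<absent>' } else { $actual -join ',' }
    } else {
        $ok    = ($actual -eq $c.Expected)
        $shown = if ($null -eq $actual) { '<absent>' } else { $actual }
    }
    $status = if ($ok) { 'OK' } else { 'FAIL' }
    '{0,-4} {1,-26} actual={2} expected={3}' -f $status, $c.Name, $shown, ($c.Expected -join ',')
}

# "Allow anonymous SID/Name translation" is not a registry value; it lives in the LSA
# policy database. Export it with secedit and read LSAAnonymousNameLookup (0 = disabled).
$inf = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch path
secedit /export /cfg $inf /quiet | Out-Null
Select-String -Path $inf -Pattern '^LSAAnonymousNameLookup' | ForEach-Object { $_.Line }
Remove-Item $inf -ErrorAction SilentlyContinue
```

Even with every line reporting OK, an anonymous IPC$ connect such as the net use command in the question can still be accepted on these Windows versions; these settings restrict what an anonymous caller can enumerate through that connection rather than the connection itself, which is the point of the KB note quoted above.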
ernie_shahAuthor Commented:
Thanks for your response

However, we tested disabling NetBIOS as well as applying the change to the registry on a client PC, but we are still able to establish a null session.

Are there any other options that we may attempt?

Regards
vicky
btanExec ConsultantCommented:
Disabling null sessions for Windows is the best you can enforce; do make sure it is done in the Default Domain Policy, and it is best to use a network or personal firewall to stop such SMB sharing, e.g. by blocking access to the ports associated with NetBIOS and SMB over TCP/IP: TCP port 135, UDP port 137, UDP port 138, TCP port 139, TCP and UDP port 445.

Check this out, as past experience had this similar challenge:
http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_24203583.html#a23848586

Check again to disable SMB support by disabling NetBIOS over TCP/IP support AND stopping the Server (lanmanserver) service. Also, in Windows 2000: remove EVERYONE from the Pre-Windows 2000 Compatible Access alias; in Windows 2003: verify that ANONYMOUS LOGON is not in the Pre-Windows 2000 Compatible Access alias.
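An added example (not from the thread) of the firewall mitigation described in the reply above: inbound block rules for the listed NetBIOS and SMB ports, created with netsh advfirewall (Vista/2008 and later). The rules are scoped to the Private and Public profiles so domain-profile file sharing keeps working; the rule names are made up here, and the profile choice is an assumption to adjust per host.

```powershell
# Added example: block the NetBIOS/SMB ports named in the reply with Windows Firewall.
# Run elevated. Extend profile= to include "domain" only on hosts that must not serve SMB.
$rules = @(
    @{ Name='Block-RPC-EPM-135-tcp';        Proto='TCP'; Port='135'     },
    @{ Name='Block-NetBIOS-NS-DGM-137-138'; Proto='UDP'; Port='137,138' },
    @{ Name='Block-NetBIOS-SSN-139-tcp';    Proto='TCP'; Port='139'     },
    @{ Name='Block-SMB-445-tcp';            Proto='TCP'; Port='445'     },
    @{ Name='Block-SMB-445-udp';            Proto='UDP'; Port='445'     }
)

foreach ($r in $rules) {
    # Remove any earlier copy so the script can be re-run without duplicating rules
    netsh advfirewall firewall delete rule name=$($r.Name) dir=in | Out-Null
    netsh advfirewall firewall add rule name=$($r.Name) dir=in action=block `
        protocol=$($r.Proto) localport=$($r.Port) profile=private,public
}

# Verify: list the block rules just created
foreach ($r in $rules) {
    netsh advfirewall firewall show rule name=$($r.Name) dir=in
}
```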
btanExec ConsultantCommented:
Just to note that LLMNR (Link-local Multicast Name Resolution) is the successor of NetBIOS. In Microsoft operating systems, this option and LLMNR functionality are only included on Windows Vista and Windows Server 2008. But why I highlighted this is that it is similarly a threat, such that there is an exploit (in a tool) which forges LLMNR responses by listening for LLMNR requests sent to the LLMNR multicast address (224.0.0.252) and responding with a user-defined spoofed IP address.

In short, as it enables Network Discovery on all nodes on the local subnet, it poses an opening for an ad-hoc network to be set up where Network Discovery, File Sharing, Public Folder Sharing and Printer Sharing can be done... In fact, Network and Sharing Center is most likely going to classify those ad hoc networks as a Public network. This classification, in addition to enforcing the public firewall profile, will turn off such services stated earlier... in a way also stopping such null session attempts...

In case you are interested (I know you have Win2K3): to disable it, use Group Policy = Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution. (Enabled = Don't use LLMNR, Disabled = Use LLMNR)